
Virus suspected in XP_INST_v04.7z


DigitalJ


It seems like this has been flagged as a virus by some engines, but not all; we'll all have to hold off until we know for sure whether the file is or is not infected, or whether a false positive is possible.

By the way, anyone can submit samples to most A/V vendors (there are usually instructions for each on their respective pages) and get a response within about 24-48 hours, depending on the vendor. The file has been submitted to AVG, McAfee, Symantec, and Microsoft for analysis, and from there we'll see.



  • 2 weeks later...

Got a response from VBA32 at last; still expecting replies from several of the major vendors. Strangely, the response time is quite slow.

Kaspersky removed it from their signatures a while ago, although they didn't respond to the emails.

On Sun, 21 Feb 2010 10:06:30 -0800
> The attached 2 files are incorrectly detected as
> Win32/TrojanDownloader.Agent. These are legitimate files, source code
> is included. Password for the archive is 'infected'. Files source and
> description:
>
>
> Please reanalyze and remove from virus signatures.

Hi,

FP will be fixed in one of the nearest updates.

Thank you in advance.

--

Regards, Mikhail S. Pobolovets

VirusBlokAda Ltd., Minsk, Belarus

http://www.anti-virus.by/en/


Sophos 9 reports \WinSetup-1-0-beta4\files\winsetup\PyronSetup\i386\setup.exe & setup_dbg.exe as Mal/Generic-A.

But I think it's most likely a false warning. I don't see any suspicious activity here, and Sophos usually detects a lot of stuff that isn't supposed to be on an enterprise computer.


> Sophos 9 reports \WinSetup-1-0-beta4\files\winsetup\PyronSetup\i386\setup.exe & setup_dbg.exe
> But I think it's most likely a false warning.

I'm convinced it's a false warning.
How to checkout/compile with Git/MinGW the latest Qemu-0.11.x on Windows

Feel free to compile setup.c with MinGW too.


  • 2 weeks later...

Another response, a few weeks later, from GData:

Dear customer,

thank you for your request.

The 2 files you sent to us are no longer detected as a virus.

Please update your virus signatures.

Please refer to your ticket number 0000477284 when contacting us again regarding this matter.

With best regards

G Data-ServiceTeam

G Data Service GmbH * Königsallee 178a

D-44799 Bochum, Germany * http://www.gdata.uk


  • 2 months later...

Respect to the response time from Avira: three and a half months later :w00t:

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: INC00450039.

A listing of files alongside their results can be found below:

File ID    Filename        Size (Byte)   Result

25587751   setup_dbg.ex_   2.45 KB       CLEAN

Please find a detailed report concerning each individual sample below:

Filename        Result

setup_dbg.ex_   CLEAN

The file 'setup_dbg.ex_' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: INC00450038.

A listing of files alongside their results can be found below:

File ID    Filename     Size (Byte)   Result

25587750   setup.ex_    2.44 KB       CLEAN

Please find a detailed report concerning each individual sample below:

Filename     Result

setup.ex_    CLEAN

The file 'setup.ex_' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.


  • 4 months later...

It turned out to be quite tricky to contact some AV vendors and report a false positive. Currently at VirusTotal, 19/43 engines still detect setup.exe as a virus:

http://www.virustotal.com/file-scan/report.html?id=aa68d27eeff208672bd0494a37ddf6f662135a965bb3387378cf43d605e54671-1288529982

Just got a response from Panda AV; waiting for the remaining 18:

Dear customer,

After checking in our laboratory the message you submitted, we inform you that it contains no virus. The detection was caused by a string coincidence.

The incidence is already solved in a Beta version of our Signature File (PAV.SIG), which you can download from the following URL: http://www.pandasecurity.com/homeusers/security-info/disclaimer/disclaimer

* If you have CloudAV, you don't need to download the Beta version of our signature file (PAV.SIG); it will be automatically updated in a few hours.

We hope this answer has been helpful and do not hesitate to contact us should you need any suspicious file analyzed in future.

Best regards,

PandaLabs

virus@pandasecurity.com


Does anyone have a registered McAfee AV? Would someone contact them and report it as a false positive?

It's probably the 10th email going back and forth, and they keep asking me for a registration email before moving further on, although I keep explaining in replies to those semi-automatic emails what the case is. Next I get referred to a web page to submit the sample, but that page doesn't re-analyse it as most other AV vendors did; it just scans it using the current signatures, so of course it gets detected.

Then I reply with the results to the semi-automatic email, where yet another guy puts his name on top of a similar answer and asks me again for registration :(

At least there is some progress: 19/43 a few days ago, now 13/43:

http://www.virustotal.com/file-scan/report.html?id=aa68d27eeff208672bd0494a37ddf6f662135a965bb3387378cf43d605e54671-1288757982

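Two things a practitioner wants when chasing a false positive like this across vendors over several weeks: proof that the file on disk is the exact sample the VirusTotal reports describe, and a list of which engines actually dropped the detection between two scans rather than just the headline ratio. The script below is an added example and is not part of the original thread or of the WinSetupFromUSB project. It assumes that the `id` parameter in the two old-style report URLs on this page is the sample's SHA-256 followed by the scan's Unix timestamp (both URLs have that shape; this is my reading of them, not something the thread states). The sample bytes and the per-engine results are constructed; they are not the real setup.exe or real VirusTotal data.

```python
"""Check a local sample against a VirusTotal report URL and diff two scan
results to see which engines cleared a suspected false positive.
Added example: SAMPLE and the SCAN_* dictionaries are constructed data."""
from __future__ import annotations

import hashlib
import re
from datetime import datetime, timezone

# Constructed stand-in for setup.exe; the real file is not on this page.
SAMPLE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"constructed stand-in for setup.exe"

# The two report URLs quoted in the thread.
URL_FIRST = ("http://www.virustotal.com/file-scan/report.html?id="
             "aa68d27eeff208672bd0494a37ddf6f662135a965bb3387378cf43d605e54671-1288529982")
URL_SECOND = ("http://www.virustotal.com/file-scan/report.html?id="
              "aa68d27eeff208672bd0494a37ddf6f662135a965bb3387378cf43d605e54671-1288757982")

# Assumption: id=<64 hex chars of SHA-256>-<Unix timestamp of the scan>.
VT_ID_RE = re.compile(r"[?&]id=([0-9a-f]{64})-(\d+)\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_vt_report_id(url: str) -> tuple[str, int]:
    """Return (sha256, unix_timestamp) from an old-style VirusTotal report URL."""
    m = VT_ID_RE.search(url)
    if not m:
        raise ValueError("no VirusTotal report id found in URL")
    return m.group(1), int(m.group(2))


def report_date(url: str) -> str:
    """UTC date of the scan the URL points at, e.g. '2010-10-31'."""
    _, ts = parse_vt_report_id(url)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def sample_matches_report(data: bytes, url: str) -> bool:
    """True only if the bytes you hold are the exact sample the report describes.
    A rebuilt or repacked setup.exe hashes differently, and the report then
    says nothing about it."""
    digest, _ = parse_vt_report_id(url)
    return sha256_hex(data) == digest


def detection_ratio(results: dict[str, str | None]) -> str:
    """'flagged/total' in the style VirusTotal shows, e.g. '19/43'."""
    flagged = sum(1 for name in results.values() if name)
    return f"{flagged}/{len(results)}"


def diff_scans(before: dict[str, str | None],
               after: dict[str, str | None]) -> dict[str, object]:
    """Engines that dropped their detection, engines that still flag the file,
    and engines that newly flag it (a signature regression worth reporting)."""
    cleared = sorted(e for e, d in before.items() if d and not after.get(e))
    still_flagged = sorted(e for e, d in after.items() if d and before.get(e))
    newly_flagged = sorted(e for e, d in after.items() if d and not before.get(e))
    return {
        "cleared": cleared,
        "still_flagged": still_flagged,
        "newly_flagged": newly_flagged,
        "ratio": f"{detection_ratio(before)} -> {detection_ratio(after)}",
    }


# Constructed per-engine results (engine -> detection name, or None if clean).
SCAN_OCT31 = {"engine1": "Win32/TrojanDownloader.Agent", "engine2": "Mal/Generic-A",
              "engine3": "Trj/CI.A", "engine4": None,
              "engine5": "Generic.Malware", "engine6": None}
SCAN_NOV03 = {"engine1": None, "engine2": "Mal/Generic-A",
              "engine3": None, "engine4": None,
              "engine5": "Generic.Malware", "engine6": "Suspicious.Packed"}


if __name__ == "__main__":
    print("first report scanned on", report_date(URL_FIRST),
          "second on", report_date(URL_SECOND))
    print("local sample is the reported one:", sample_matches_report(SAMPLE, URL_FIRST))
    for key, value in diff_scans(SCAN_OCT31, SCAN_NOV03).items():
        print(f"{key}: {value}")
```

The `sample_matches_report` check is the one people skip: a report only speaks for the exact bytes it hashed, so re-sending a freshly compiled setup.exe to a vendor along with an old report link mixes two different samples. The `newly_flagged` list matters too; a vendor "fixing" a false positive by retuning a generic signature sometimes trips a different engine, and you want to catch that before declaring the thread done.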

  • 1 month later...

@ilko_t

If, for any reason, you are not using your computer properly seated on a chair :w00t:, please do take one and sit comfortably on it before accessing this :):

http://downloadcenter.mcafee.com/products/tools/foundstone/

Directory on McAfee site where free tools are available.

I was there getting a fresh copy of the excellent BinText utility (BinText303.zip) today, and noticed a file (near the bottom of the list/page): warning.txt

I had a look at it:

PACKER DETECTION ALERT

The anti-virus scanner has detected a packer program. The file was not cleaned and has been removed.

Context: 'SharePointDiscovery.exe'

Detection(s): 'PE_Patch.Stolen.d (compressed file)'

See your system administrator for further information. Copyright 1999-2007 McAfee, Inc. All Rights Reserved. http://www.mcafee.com

Their anti-virus detected a packer inside their own file!

...and obviously did NOT delete it, as the file SharePointDiscovery.exe has the same timestamp, 21-Oct-2010 09:04, as warning.txt ...:whistle:


jaclaz
